Tuesday, July 5, 2016

fsociety - Mr. R0b0t

"Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to
find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or
reverse engineering. The level is considered beginner-intermediate."

Let's Reap Some Bytes

Command: netdiscover -r 10.10.10.0/24

Command: nmap -sS -Pn -p1-65535 10.10.10.4

Sweet. Nothing but http/https running.

Command: nikto -host 10.10.10.4

Nice, WordPress.

This should definitely help us get a rev shell.

Command: wpscan --url http://10.10.10.4

WPScan revealed much of the same standard information. Nikto, however, did not tell us that a robots.txt was present, so I will wget the robots.txt file and see if there are any other clues to be found.

Command: wget http://10.10.10.4/robots.txt

Command: cat robots.txt

So robots.txt reveals our first key and a fsocity.dic file. We use wget to retrieve both.

First Key: 073403c8a58a1f80d943455fb30724b9

User Enumeration:

So I decided to reinvent the wheel and create my own WordPress user enum tool. (WPScan can do this, but I wanted to work in some Python of my own, for learning's sake.)

My Code

****NOTE: I opted not to use threading due to the small amount of enumeration that needs to occur. I would add multithreading if I were to use very large username lists.****

Awesome, we have a hit... after 4 hours... because the password was the second-to-last word in the list... thanks for that...
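The enumeration and the password guessing above are loud from the server's side: WordPress answers `/?author=N` with a redirect to `/author/<login>/` (the probe WPScan uses), and a stock wp-login.php re-renders the form with a 200 on a failed login but redirects with a 302 on success. The following is an added detection example written for this page, not the post author's tool; it parses Apache/nginx combined-format lines and alerts per client IP. The log lines are constructed for the example (the client addresses and thresholds are assumptions).

```python
"""Spot WordPress user enumeration and wp-login.php brute force in web server logs."""
import re
from collections import Counter, defaultdict

# Apache/nginx combined format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# WordPress redirects /?author=N to /author/<login>/, which is how WPScan lists users
AUTHOR_PROBE = re.compile(r'[?&]author=\d+')

# Constructed sample log: one client probing author ids and hammering wp-login.php,
# one client logging in normally.
SAMPLE_LOG = """\
10.10.10.9 - - [05/Jul/2016:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan"
10.10.10.9 - - [05/Jul/2016:10:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan"
10.10.10.9 - - [05/Jul/2016:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "WPScan"
10.10.10.9 - - [05/Jul/2016:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "python-requests/2.10"
10.10.10.9 - - [05/Jul/2016:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "python-requests/2.10"
10.10.10.9 - - [05/Jul/2016:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "python-requests/2.10"
10.10.10.9 - - [05/Jul/2016:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "python-requests/2.10"
10.10.10.9 - - [05/Jul/2016:10:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "python-requests/2.10"
10.10.10.9 - - [05/Jul/2016:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.10"
10.10.10.20 - - [05/Jul/2016:11:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
10.10.10.20 - - [05/Jul/2016:11:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://10.10.10.4/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Per client IP, count author-id probes and wp-login.php outcomes."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if AUTHOR_PROBE.search(path):
            stats[ip]["author_probes"] += 1
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            # stock WordPress: 200 = form re-rendered (failure), 302 = redirect to wp-admin (success)
            stats[ip]["login_fail" if rec["status"] == "200" else "login_ok"] += 1
    return dict(stats)


def alerts(log_text, probe_threshold=3, fail_threshold=5):
    """Return sorted (ip, kind, count) tuples for clients crossing the thresholds."""
    out = []
    for ip, c in summarize(log_text).items():
        if c["author_probes"] >= probe_threshold:
            out.append((ip, "user-enumeration", c["author_probes"]))
        if c["login_fail"] >= fail_threshold:
            # a success after a burst of failures is the case that needs immediate attention
            kind = "brute-force-success" if c["login_ok"] else "brute-force"
            out.append((ip, kind, c["login_fail"]))
    return sorted(out)


if __name__ == "__main__":
    for ip, kind, count in alerts(SAMPLE_LOG):
        print(f"{ip}: {kind} ({count} requests)")
```

Note that a four-hour guessing run like the one in the writeup spreads failures across the day, so the counts should be kept per client over the whole log (as here) rather than per short time window.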

Upon logging in as elliot, I was able to modify the site's PHP to add a reverse shell.

Command: nc -lvp 80

Sweet, we have a rev shell. Now let's upgrade it to a proper TTY.

Command: python -c "import pty;pty.spawn('/bin/bash');"
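Editing theme PHP through the WordPress admin, as done above, leaves a changed file on disk, which is exactly what a baseline-and-compare integrity check catches. This is an added example written for this page, not code from the post: it hashes every `.php` file under a site root, diffs against a stored manifest, and reports added, removed and modified files. The site tree, theme name (`example-theme`) and file contents in `demo()` are constructed for the example.

```python
"""Baseline-and-compare integrity check for the PHP files of a WordPress install."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root, suffixes=(".php",)):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def diff_manifest(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo():
    """Build a throwaway site tree, baseline it, then simulate a theme-editor change."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        theme = site / "wp-content" / "themes" / "example-theme"   # constructed theme name
        theme.mkdir(parents=True)
        (theme / "404.php").write_text("<?php get_header(); get_footer(); ?>\n")
        (theme / "functions.php").write_text("<?php // theme setup ?>\n")
        (theme / "style.css").write_text("/* Theme Name: Example */\n")
        baseline = build_manifest(site)          # taken right after a clean install

        # What the theme editor leaves behind: an existing file rewritten, a new PHP file dropped.
        (theme / "404.php").write_text("<?php get_header(); /* unexpected edit */ get_footer(); ?>\n")
        (theme / "extra.php").write_text("<?php // not part of the release ?>\n")
        return diff_manifest(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

In practice the baseline is taken from a known-good release and stored off the web server, and the comparison runs from cron; the same check is also the quickest way to answer "what did the attacker change" during incident response. Disabling the theme and plugin editors (`DISALLOW_FILE_EDIT` in wp-config.php) removes the path used here altogether.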

Looking at the home folder, we can see that robot's directory is readable.

Command: ls -lah

Sweet, the 2nd flag (we cannot read it currently, and admittedly I forgot to go back for it).

Command: cat password.raw-md5

Dropping the hash into Google resulted in "abcdefghijklmnopqrstuvwxyz". lul.
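A search engine could answer because the file held a raw, unsalted MD5: the same password always produces the same digest on every system, so one precomputed table (or one indexed web page) serves for all of them. The following added example, not code from the post, computes that digest for the recovered password, shows the table lookup that makes it trivial, and contrasts it with a salted, iterated PBKDF2 hash of the same password; the expected MD5 value is the RFC 1321 test vector for the alphabet, not a value copied from the VM, and the wordlist and iteration count are constructed for the example.

```python
"""Why a raw MD5 password file falls to a web search, and what a salted KDF changes."""
import hashlib
import hmac
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # the password recovered in the writeup


def raw_md5(password):
    """Unsalted MD5: the same password always yields the same digest, everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_raw_md5(digest, wordlist):
    """One precomputed digest->word table answers for every user and every site;
    search engines indexing such tables are what turned the hash back into the alphabet."""
    table = {raw_md5(w): w for w in wordlist}
    return table.get(digest)


def pbkdf2_hash(password, salt=None, iterations=100_000):
    """Salted, iterated hash: every stored value is unique and each guess costs real work."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    digest = raw_md5(ALPHABET)
    print("raw md5:", digest, "->", lookup_raw_md5(digest, ["password", "letmein", ALPHABET]))
    print("pbkdf2 #1:", pbkdf2_hash(ALPHABET))
    print("pbkdf2 #2:", pbkdf2_hash(ALPHABET))   # differs: fresh salt each time
```

With the salted form, two stored hashes of the same password differ, so a table built for one is useless for the other, and the iteration count sets the price of every guess.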

Command: su robot

(again, I forgot to cat the 2-of-3-flag.txt file)...

I did a good amount of looking around for sudo -l, crons, etc. and found nothing much with any of them. But what I did find was a SUID bit on nmap. Awesome, nmap has an interactive mode. Let's see if we can get anything with it.

Command: nmap --interactive

Sweet. We got r00t, and our third flag.

w00t w00t. flag 3 ==> 04787ddef27c3dee1ee161b21670b4e4
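The root cause here is a setuid-root nmap, which is a one-line audit away from being found before anyone else does. This added example (written for this page, not the post author's code) walks a tree for setuid regular files and flags those owned by root whose names appear on a watchlist of binaries that hardening checklists treat as shell escapes; nmap is the one this writeup used. The watchlist contents and the temporary tree in `demo()` are constructed for the example, and `demo()` treats the current user as "root" because it cannot create root-owned files.

```python
"""Audit a filesystem tree for setuid binaries and flag ones known to yield a shell."""
import os
import stat
import tempfile
from pathlib import Path

# Names from common hardening checklists whose setuid-root copies are known to let a
# user escape to a shell; nmap (via --interactive) is the one this writeup used.
SUID_WATCHLIST = {"nmap", "vim", "vi", "find", "bash", "sh", "less", "more", "python", "perl", "awk"}


def find_suid(root):
    """Return (path, owner uid) for every regular file under root with the setuid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def flag_risky(hits, watchlist=SUID_WATCHLIST, root_uid=0):
    """Keep only setuid files owned by root_uid whose base name is on the watchlist."""
    return sorted(
        path for path, uid in hits
        if uid == root_uid and os.path.basename(path) in watchlist
    )


def demo():
    """Constructed tree: a setuid nmap (the writeup's misconfiguration), a setuid ping, a plain file."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "usr" / "local" / "bin"
        bindir.mkdir(parents=True)
        for name, mode in (("nmap", 0o4755), ("ping", 0o4755), ("harmless", 0o755)):
            f = bindir / name
            f.write_text("#!/bin/sh\nexit 0\n")
            f.chmod(mode)
        hits = find_suid(tmp)
        # files here are owned by whoever runs the demo, so treat that uid as "root"
        risky = flag_risky(hits, root_uid=os.getuid())
        rel = lambda p: os.path.relpath(p, tmp)
        return [rel(p) for p, _ in hits], [rel(p) for p in risky]


if __name__ == "__main__":
    all_suid, risky = demo()
    print("setuid files:", all_suid)
    print("on watchlist:", risky)
```

On a real host you would run `find_suid("/")` as root and compare the result against the package manager's expected list; anything setuid-root that is not in that list, watchlist or not, deserves a look, and a scanner like nmap has no business being setuid at all.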

Sorry for the abbreviated ending to this tutorial. I was trying to finish ASAP before the long weekend.